[asterisk-users] Is there a public blacklist of hackers' IPaddresses?

SIP sip at arcdiv.com
Thu Mar 26 07:32:56 CDT 2009


randulo wrote:
> This brings up a side issue. Banks on the Internet have had to provide
> a sort of insurance that allows the customer to be protected if
> someone hacks in to his or her account. ITSP will need to think
> carefully about having a similar policy that protects people from an
> attack to the provider, no?
>
> What do those of you who sell these services think about liability?
> Has anyone come up with a statement on this?
>
> /r
>

The customer IS protected because it's excellent marketing for the bank
or credit card provider. If someone steals my card number and racks up a
bunch of charges, I'm often not liable for those charges (dependent, of
course, on bank policy).  However, the seller who was duped into selling
those items because the bank approved the charges on the card? They're
simply out of luck. They're charged any relevant charge-back fees AND
are out any fees for services or product losses they may have incurred.
The bank still gets its money.

In the end, SOMEone has to pay.

As an end-point ITSP, I can assure you, it would be us who's assessed
the requisite charges. If someone uses a fraudulent card, we're required
to pay. If someone uses a three letter password on his account, and it's
hacked into and used to rack up charges, we have to pay.

In the purely virtual sense, as we're often selling to people we've
never met via the Internet, it becomes difficult to say with any
certainty if the person who logged into the account and used up the
account's money is a hacker or just the account holder who doesn't want
to own up to the charges. It puts us in a difficult position. 
Obviously, in some cases, this becomes more obvious. If the account
holder is in the UK and the calls come in from China or Nigeria or
Turkey or some such, it would be more likely to be suspect and if the
account holder challenged the charges, we might be more liable to work
with him or her.

However, for the most part, we require a certain 'strength' of password
to be used, and we rely on safeguards and monitors on the site itself to
try and avoid brute force hacks. With no evidence for a brute force
attempt or some other security failure on our side, we're somewhat at
the mercy of logic to assume that calls from a customer's premises using
a customer's account actually came from the customer, and I think we
might be hard pressed to simply ignore said charges.

If the security failure is clearly ours, though, I don't think it would
be at all reasonable to expect the customer to accept responsibility.
I'd be especially wary of a company that blamed the customer for its own
security failings.

-- 
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com